Re: [ActiveDir] ADFS and certs
Perhaps Tomasz and I should blog about this more for now. :)

Yeah, you guys do that please! This looks like it's taking off, and some of it is a real black art for some infrastructure people...

--Paul

- Original Message -
From: Joe Kaplan [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, September 25, 2006 12:10 AM
Subject: Re: [ActiveDir] ADFS and certs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] ADFS and certs (was: SUBDOMAIN AND LDAP)
I agree that there is a certain amount of pain with certs and ADFS, although I don't think it is really that hard, especially if you go the commercial route. The thing I like about it is that since it requires you to get this working to use it, it is secure by default. You have little ability to hoist yourself by your own petards, so to speak. :)

There are really two parts to the ADFS cert story, the SSL/HTTP part and the token signing cert part. The SSL/HTTP part is a little more straightforward and is the kind of thing that lots of organizations do successfully already on their public websites now. You really only tend to get yourself in trouble if you want to self issue certs and do things like issue from your own root or publish your CRL in a non-public place.

The token signing cert part of ADFS is much more black magic and needs more guidance. Even with certs that work perfectly fine for SSL, we had trouble using them for token signing due to the additional CRL checking that ADFS does and had to disable that in policy. I think similar things happened to you guys with one of your partner's token signing certs in your own internal implementation. CRL is an important idea whose implementation is basically broken in the general case, as there is no reasonable way to always get the CRL programmatically. Windows could do a lot better with tool support for troubleshooting this and better error messages though (kind of like Kerberos delegation; too hard as it stands!).

I'm sure my experiences are influenced by the fact that I already know a fair amount about certs and SSL, having spent a full year of my life implementing an automated certificate provisioning system for end user signing and encryption certs that ties into our overall identity management process. I can totally see how there is a bunch of mumbo jumbo to overcome for those not really familiar with PKI. At least in this case, though, the mumbo jumbo (PKI) is pretty much the same on Linux or Sun as it is on Windows. It doesn't really hurt the adoption of the protocol itself across platforms.

I also think the ADFS step by step guide leads people down a dark path, in that all the demos are set up with selfssl and self-issued certs, which are ok for demos, but not cool for production (IMO). The path to get from the demo set up in step by step to your actual scenario is not always easy to do. I think our internal proof of concept was more successful because we tried to build our POC the way we thought we'd actually use the product internally, rather than using the Adatum/Trey Research scenarios.

As with most new things that take some thought to implement, the skills and experiences needed to crank out good implementations quickly will lag the product for a while. I'm sure the first year or two (or maybe more!) of AD installs were slow and a little crappy too. I still like the product though. :) I think the places where it is sound, it is very sound. It has a good base to build on.

Joe K.

- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 24, 2006 1:25 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP

Yes, we should file a bug for AD. I'll take this offline with you.

On the SSL front, it's interesting that you see this as a strength of ADFS. I would argue the opposite. Cert infrastructures are non-trivial to configure or maintain. I always saw it as a downside to ADFS that it requires one to get a PhD in certology and make this work not only for you but across organizations, assuming you use it in this way. Of course, the real solution to all of this is making a cert infrastructure as easy to run as, say, the key infrastructure that makes Kerberos just work for you.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Sunday, September 24, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

That's very cool, Eric. I had no idea that setting existed in ADAM. Any chance of sneaking that into the AD stack? I agree that it only solves half the problem, but at least by preventing this from working at all, it keeps people from setting up apps that will do insecure simple binds thousands of times per day for years. There is only so much you can do.

I also agree that SSL just isn't that easy and can't be, just because of the way it works. That doesn't stop me from wishing it was. :) One thing I like about ADFS is that you have to use SSL to play, so you can't even get yourself in trouble.

I'll definitely file a bug on the audit thing. I think that would be nice, even with ADAM in the mode to reject insecure simple binds, because you could find out which clients are attempting it.

Joe K.

- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday,
Re: [ActiveDir] ADFS and certs
Joe Kaplan wrote:
(...) I also think the ADFS step by step guide leads people down a dark path, in that all the demos are set up with selfssl and self-issued certs, which are ok for demos, but not cool for production (IMO) (...)

Will jump in with a few words from myself again. I agree with your point regarding the step by step guide 100%. When I tried to set up my first ADFS lab I decided to use a Windows 2003 CA instead of self-issued certs, and for me it was a far more natural way to use ADFS than this not-realistic SelfSSL scenario, which may be confusing for users.

I've exchanged e-mail with people on an internal mailing list a few times about it, and one good piece of information is that this point was taken and the updated version of the step by step document for ADFS should be better on this.

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] ADFS and certs
Joe, Tomasz -

Yep, you're right that it may tend to show a bad precedent for people to follow. I haven't taken a look at these particular labs (and having just come back from a long hiatus, I didn't see the referenced lab) but is the guidance there as to what Best or Preferred Practices SHOULD BE? If not, I find that the bigger problem than the fact that self-certs are being used at all.

Rick

From: Tomasz Onyszko [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADFS and certs
Date: Sun, 24 Sep 2006 21:21:53 +0200
Re: [ActiveDir] ADFS and certs
Rick Kingslan wrote:
Joe, Tomasz - Yep, you're right that it may tend to show a bad precedent for people to follow. I haven't taken a look at these particular labs (and having just come back from a long hiatus, I didn't see the referenced lab) but is the guidance there as to what Best or Preferred Practices SHOULD BE?

You can check this lab here: http://www.microsoft.com/downloads/details.aspx?familyid=062F7382-A82F-4428-9BBD-A103B9F27654&displaylang=en

No, you will not find any guidance on best practices there, and maybe this is not the best place, but I'm not aware of any other ADFS related doc which deals in detail with best practices and a description of the usage of certificates in an ADFS deployment.

If not - I find that the bigger problem than the fact that self-certs are being used at all.

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] ADFS and certs
Yeah, the real step by step guide isn't so bad per se. What it tries to do is give you a simple path to having an easy demo set up of ADFS going so you can kick the tires. For that, it is ok. Where it doesn't cross the gap very well is in providing guidance on how to apply the lessons learned to real scenarios.

Because ADFS relies on certificates for both SSL/HTTP and the signing of security tokens, you need certificates to use it. In order to get through the step by step guide successfully, they chose to use the self-issued model, as it is really the only simple way to get SSL certs without spending money or setting up a CA. However, it does leave you with self-signed certs, which is not where you want to end up.

I think that either the step by step guide needs to provide more guidance and explanation of the steps and how to apply them, or the other documentation for ADFS needs to fill this gap. As it stands now, there is still no good guidance on how to procure your certificates and what the various trade-offs are for the possible ways to go about this. People who already know PKI will be able to fill in the details, but many people will be left scratching their heads.

Perhaps Tomasz and I should blog about this more for now. :)

Joe K.

- Original Message -
From: Tomasz Onyszko [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 24, 2006 3:16 PM
Subject: Re: [ActiveDir] ADFS and certs
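The following is an added example; it is not code from the thread, from Microsoft's ADFS step by step guide, or from any of the posters. It turns the two points Joe raises in his messages above into checks you can run against a certificate before handing it to ADFS: whether the cert is self-issued (the place the selfssl walkthrough leaves you), and whether it survives the stricter revocation checking that tripped the token-signing case even though the same cert was fine for SSL. The thumbprint is a placeholder, the LocalMachine\My store is an assumption, and it relies on the .NET X509Chain classes being reachable from PowerShell.

```powershell
# Added example, not from the thread. Diagnose why a certificate that is
# accepted for SSL can be rejected as an ADFS token-signing certificate once
# revocation checking is enforced. Assumes the cert lives in the local
# machine personal store; the thumbprint is a placeholder you replace.
$thumbprint = 'REPLACE_WITH_THUMBPRINT'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

# 1. Self-issued? A self-signed cert has Issuer == Subject. That is what the
#    selfssl / self-issued path of the step by step guide produces, and no
#    partner will trust it without importing your root by hand.
if ($cert.Issuer -eq $cert.Subject) {
    Write-Warning 'Self-signed certificate: fine for a lab, not for production.'
}

# 2. Where would a relying party fetch the CRL from? OID 2.5.29.31 is the CRL
#    Distribution Points extension. If it is missing, or points at an internal
#    URL a partner cannot reach, revocation checking fails even though the
#    signature chain itself is perfectly good.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    'CRL distribution points:'
    $cdp.Format($true)
} else {
    Write-Warning 'No CRL distribution point extension on this certificate.'
}

# 3. Build the chain twice: once the way a lenient SSL client would (no
#    revocation check) and once with online revocation checking of the entire
#    chain, which is the policy that bit the token-signing scenario. The
#    ChainStatus entries tell you *which* element failed and why.
function Test-Chain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $ok = $chain.Build($Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    New-Object PSObject -Property @{
        RevocationMode = $Mode
        Valid          = $ok
        ChainLength    = $chain.ChainElements.Count
        Status         = $status
    }
}

Test-Chain -Certificate $cert -Mode NoCheck
Test-Chain -Certificate $cert -Mode Online
```

If the first Test-Chain call reports Valid = True and the second reports RevocationStatusUnknown or OfflineRevocation, you have reproduced the situation described above: the chain is sound, but the CRL is not fetchable from where the check runs. The fix belongs on the issuing side (a CA whose CRL distribution point is reachable by every federation partner), not in turning the check off. The command-line equivalent, if you would rather not script it, is certutil -verify -urlfetch against the exported .cer file, which also shows which URL it tried and what it got back.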